XOR DDoS botnet - weak passwords

"XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware."

http://arstechnica.com/security/2015/09/botnet-preying-on-linux-compute…

https://www.stateoftheinternet.com/downloads/pdfs/2015-threat-advisory-…
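
A defender-side check for the entry pattern the quoted passage describes (password guessing against the SSH shell, then a successful login), added here as an example and not taken from the Ars Technica article or Akamai's advisory. It scans sshd log lines for a password login that succeeds after a run of failures from the same address; the log lines, the threshold and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format (documentation-range IPs, not real indicators).
SAMPLE_LOG = """\
Sep 29 10:01:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep 29 10:01:02 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 40113 ssh2
Sep 29 10:01:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Sep 29 10:01:04 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 40115 ssh2
Sep 29 10:01:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40116 ssh2
Sep 29 10:01:06 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 40117 ssh2
Sep 29 10:01:09 web1 sshd[2107]: Accepted password for root from 203.0.113.7 port 40118 ssh2
Sep 29 10:05:10 web1 sshd[2201]: Failed password for alice from 198.51.100.20 port 51500 ssh2
Sep 29 10:05:21 web1 sshd[2202]: Accepted password for alice from 198.51.100.20 port 51501 ssh2
Sep 29 10:06:00 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.30 port 52000 ssh2
"""

# Only password authentication is matched; key-based logins are not guessable this way.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, min_failures=5):
    """Return (ip, user, failures) for each password login that succeeded
    after at least min_failures failed attempts from the same source IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= min_failures:
            hits.append((ip, m["user"], failures[ip]))
        failures[ip] = 0  # a success ends the run, suspicious or not
    return hits

if __name__ == "__main__":
    for ip, user, count in find_guessed_logins(SAMPLE_LOG):
        print(f"{ip}: password login as {user} after {count} failures")
```

A hit for `root` is the case the passage is about; disabling password authentication for root in sshd removes the guessable credential altogether.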